过滤器解决XSS(脚本注入)
1.实现Filter接口
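public class XssFilter implements Filter {
    /**
     * Wraps every HTTP request in an {@link XssRequestWrapper} before invoking the
     * rest of the chain, so that filters, servlets and controllers behind this one
     * read HTML-escaped header, parameter and body values.
     *
     * <p>Requests that are not {@code HttpServletRequest}s are passed through
     * untouched instead of being force-cast (the unconditional cast would throw
     * {@code ClassCastException}).
     *
     * @param servletRequest  the incoming request
     * @param servletResponse the response, handed down the chain unchanged
     * @param filterChain     the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (servletRequest instanceof HttpServletRequest) {
            XssRequestWrapper wrapped = new XssRequestWrapper((HttpServletRequest) servletRequest);
            filterChain.doFilter(wrapped, servletResponse);
        } else {
            // Nothing to escape on a non-HTTP request; do not break the chain for it.
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** No init-params are read; present only to satisfy the {@link Filter} contract. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release: the filter holds no state. */
    @Override
    public void destroy() {
    }
}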
2.创建XssRequestWrapper类
import ;
import ;
import ;
import ;
import ;
import .*;
import ;
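/**
 * Request wrapper that HTML-escapes the values handed to the application through
 * {@link #getHeader(String)}, {@link #getParameter(String)},
 * {@link #getParameterValues(String)} and {@link #getInputStream()}.
 *
 * <p>Scope of the escaping, as implemented here:
 * <ul>
 *   <li>Headers and parameters: {@code & < > " '} are replaced by their entities.</li>
 *   <li>Request body: only the literal {@code <} and {@code >} characters are
 *       replaced; the rest of the body is passed through unchanged.</li>
 *   <li>Accessors that are NOT overridden ({@code getReader()},
 *       {@code getParameterMap()}, {@code getHeaders(String)}, {@code getQueryString()})
 *       delegate to the wrapped request and therefore return the raw values.</li>
 * </ul>
 * Escaping on the way in is one layer only; output encoding at render time is
 * still required for the rendering context (HTML body, attribute, JS, URL).
 *
 * <p>The body is buffered entirely in memory once per {@code getInputStream()} call;
 * there is no size limit here, so rely on the container's request-size limits.
 */
public class XssRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; its accessors back every override below
     */
    public XssRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Replaces the five characters significant to HTML with their entity forms.
     * A stdlib implementation keeps the wrapper free of an escaping-utility
     * dependency. {@code &} is handled first so already-escaped input is escaped
     * again rather than left ambiguous.
     *
     * @param value text to escape, may be {@code null}
     * @return the escaped text, or {@code value} itself when it is {@code null} or empty
     */
    private static String escapeHtml(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Returns the named header with HTML-significant characters escaped.
     *
     * @param name header name
     * @return the escaped value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        return escapeHtml(super.getHeader(name));
    }

    /**
     * Returns the named request parameter with HTML-significant characters escaped.
     * The value is deliberately not logged: request parameters routinely carry
     * credentials or personal data.
     *
     * @param name parameter name
     * @return the escaped value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        return escapeHtml(super.getParameter(name));
    }

    /**
     * Returns every value of the named parameter, each HTML-escaped. Every slot of
     * the result is filled, so blank or empty values are kept rather than turned
     * into {@code null}.
     *
     * @param name parameter name
     * @return a new array of escaped values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escapeHtml(values[i]);
        }
        return escaped;
    }

    /**
     * Reads the whole body, replaces literal {@code <} and {@code >} with
     * {@code &lt;} / {@code &gt;}, and serves the result from memory.
     *
     * <p>The body is decoded and re-encoded as UTF-8 explicitly instead of the
     * platform default charset, because a JSON body is UTF-8 by specification.
     * {@code String.replace} is used rather than {@code replaceAll}: the targets
     * are literal characters, not regular expressions.
     *
     * @return an in-memory {@link ServletInputStream} over the escaped body
     * @throws IOException if the underlying request body cannot be read
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        byte[] raw;
        try (InputStream in = super.getInputStream();
             ByteArrayOutputStream buffered = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[1024];
            int len;
            while ((len = in.read(chunk)) != -1) {
                buffered.write(chunk, 0, len);
            }
            raw = buffered.toByteArray();
        }
        String escapedBody = new String(raw, java.nio.charset.StandardCharsets.UTF_8)
                .replace("<", "&lt;")
                .replace(">", "&gt;");
        final ByteArrayInputStream source =
                new ByteArrayInputStream(escapedBody.getBytes(java.nio.charset.StandardCharsets.UTF_8));

        // Blocking, fully in-memory stream: isReady() is always true and
        // isFinished() reports when the buffer has been drained, so non-blocking
        // readers that poll these methods observe the correct state.
        return new ServletInputStream() {
            @Override
            public int read() throws IOException {
                return source.read();
            }

            @Override
            public boolean isFinished() {
                return source.available() == 0;
            }

            @Override
            public boolean isReady() {
                return true;
            }

            /**
             * No-op. NOTE(review): a reader that waits for the listener callback
             * rather than polling isReady()/isFinished() would never be notified;
             * fine for blocking reads -- confirm no async readers depend on it.
             */
            @Override
            public void setReadListener(ReadListener readListener) {
            }
        };
    }
}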
3.配置类中注册FilterRegistrationBean
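/**
 * Registers {@link XssFilter} for every URL path ({@code /*}).
 *
 * <p>The registration order is left at the default. NOTE(review): if another
 * filter in this application reads parameters or the body before this one
 * runs, it sees raw values -- give this bean a lower order via
 * {@code setOrder(...)} than such filters; confirm against the filter list.
 *
 * @return the registration bean applying the XSS filter to all paths
 */
@Bean
public FilterRegistrationBean<XssFilter> filterRegistrationBean() {
    FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
    registration.setFilter(new XssFilter());
    registration.addUrlPatterns("/*");
    return registration;
}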